---
- name: Install IPA client packages
  package:
    name:
      - freeipa-client
    state: present
  tags:
    - ipa/client
    - packages

- name: Enable VPN hosts to talk to IPA
  import_tasks: vpn.yml
  tags:
    - ipa/client
    - vpn-client-enablement

- name: Enroll system as IPA client
  command:
    cmd: ipa-client-install
         {% if (vpn | default(false)) %}{% for node in ipa_server_nodes | default([]) %}
         --server={{ node }}
         {% endfor %}{% endif %}
         --hostname={{ inventory_hostname }}
         --domain={{ ipa_realm | lower }}
         --realm={{ ipa_realm }}
         -p admin -w {{ ipa_admin_password }}
         -U -N --force-join
         --mkhomedir
         --no-ssh
    creates: /etc/ipa/default.conf
  notify: clean sss caches
  tags:
    - ipa/client
    - config

- name: Prepare IPA-related information to make the following more efficient
  delegate_to: localhost
  import_tasks: prepare-ipa-info.yml
  tags:
    - ipa/client
    - config
  run_once: yes

- name: Basic configuration for clients on IPA cluster
  delegate_to: localhost
  import_tasks: common.yml
  tags:
    - ipa/client
    - config
  run_once: yes

- name: Configure HBAC on IPA cluster
  delegate_to: "{{ ipa_server }}"
  import_tasks: hbac.yml
  tags:
    - ipa/client
    - config
  run_once: yes

- name: Configure sudo on IPA cluster
  delegate_to: "{{ ipa_server }}"
  import_tasks: sudo.yml
  tags:
    - ipa/client
    - config
  run_once: yes

- name: Ensure that nss knows to skip certain users
  template: src=fedora-nss-ignore.conf.j2 dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=root
  tags:
  - ipa/client
  - config
  notify:
    - restart sssd
    - clean sss caches

- meta: flush_handlers
